Period for Reply



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any
earned patent term adjustment. See 37 CFR 1.704(b).

Status 

1) ☒ Responsive to communication(s) filed on 16 October 2009.
2a) ☐ This action is FINAL. 2b) ☒ This action is non-final.

3) ☐ Since this application is in condition for allowance except for formal matters, prosecution as to the merits is
closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) ☒ Claim(s) See Continuation Sheet is/are pending in the application.

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) ☒ Claim(s) 105, 107, 109-115, 117, 118, 127-130, 133-151, 168, 169, 171, 172, 174, 175, 177 and 178 is/are allowed.
Continuation Sheet (PTOL-326) Application No. 10/647,644

Continuation of Disposition of Claims: Claims pending in the application are 105, 107, 109-115, 117, 118, 127-130, 133-156, 159, 162-166, 168, 169, 171, 172, 174, 175, 177, 178 and 180-185.
DETAILED ACTION

Response to Amendment 

This office action is responsive to Applicant's amendment and remarks received
on 10/16/2009. Claims 105, 107, 109-115, 117-118, 127-130, 133-156, 159, 162-166,
168-169, 171-172, 174-175, 177-178, and 180-185 are pending.

Continued Examination Under 37 CFR 1.114 
1. A request for continued examination under 37 CFR 1.114, including the fee set forth in
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e)
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to
37 CFR 1.114. Applicant's submission filed on October 10, 2009 has been entered.



Allowable Subject Matter 

Claims 105, 107, 109-115, 117, 118, 127-130, 133-151, 168-169, 171-172, 174-175, and
177-178 are allowed.
Response to Arguments

Applicant's arguments filed on October 10, 2009 have been fully considered but 
they are not persuasive because of the following reasons: 

Regarding Claims 152-156, 159, 162-166, and 180-185, applicant argued that "Kouznetsov's
analyzer 19 waits for system calls to be made by the code under investigation, and then
intercepts/analyzes such calls, while the method of claims 152 and 159 selects an active
program, executes each of the recited first and second plurality of detection routines, and,
upon completion, categorizes the code under investigation using results of the executed
detection routines."

This is not found persuasive. The cited system clearly teaches and describes a
dynamic computer virus detection system that monitors runtime state within a defined
computing environment and tracks the sequence of execution of monitored events for
each application. A histogram describing the occurrence of specific execution event
sequences characteristic of computer virus behavior is also created for each application
(Kouznetsov: col. 5, line 18 to col. 6, line 30, and Chess: col. 5, line 55 to col. 6, line 35).

Therefore, the examiner asserts that the cited prior art does teach or suggest a
method and apparatus for detecting malicious code in an information handling system
as recited in the independent and dependent claims. Accordingly, the rejections of claims 20-
35 are respectfully maintained.
Claim Rejections - 35 USC § 103

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 152-156, 159, 162-166, and 180-185 are rejected under 35 U.S.C. 103(a)
as being unpatentable over Kouznetsov (U.S. Patent No. 6,973,577) in view of Chess
et al. (U.S. Patent No. 6,772,346, hereinafter Chess).

1. Regarding claims 152 and 159, Kouznetsov discloses a computer-implemented
method comprising:

the program is running on an operating system of the computer system (col. 5,
lines 18-65 and col. 6, lines 1-30; i.e., wherein the code under investigation is each of
the incoming system calls 91, 92, and 93 generated by the applications 33, 34, and 35
(shown in figure 2)); and
executing each of the first and second plurality of detection routines on the
operating system of the computer system (i.e., static analyzer 52 and dynamic analyzer
53) (col. 4, lines 47-58), wherein said executing includes:

system of the computer system to gather information about the first program,
including characteristics and behaviors of the first program, wherein the first plurality of
detection routines are executable to detect characteristics and behaviors indicative of
valid code, and wherein the second plurality of detection routines are executable to
detect characteristics and behaviors indicative of malicious code; upon completing
execution of each of the first and second plurality of detection routines (i.e., static
analyzer 52 performs behavior checking and generates alerts and histograms only if
patterns of suspicious events are observed; dynamic analyzer 53 analyzes histograms
and identifies behavioral repetitions within the histograms which indicate behavior
characteristic of a computer virus/compromise) (col. 4, lines 38-67 and col. 5, lines 1-7);

use the result (i.e., the results indicated by static analyzer 52 and dynamic
analyzer 53) to categorize the code under investigation with respect to the likelihood of
the code under investigation compromising the security of the computer system (i.e.,
computer viruses are self-replicating program code which often carry malicious and
sometimes destructive payloads and "malware" can include Trojan horses, hoaxes, and
spam mail - col. 1, lines 45-48) (col. 5, lines 18-67 and col. 6, lines 1-30);

use the result to categorize the code under investigation with respect to the
likelihood of the code under investigation compromising the security of the computer
system (i.e., computer viruses are self-replicating program code which often carry
malicious and sometimes destructive payloads and "malware" can be categorized in the
following: Trojan horses, hoaxes, and spam mail - col. 1, lines 45-48) (col. 5, lines 18-67
and col. 6, lines 1-30).

Kouznetsov does not explicitly disclose functionality that determines the
monitored code under investigation to be valid/non-malicious code.

However, Chess discloses applying a detection routine to the code under
investigation to obtain a result, weighting such result to obtain a first score indicative of
whether the code under investigation has characteristics and/or behaviors typically
associated with valid code (i.e., files determined to be non-malicious) (col. 5, lines
55-67 and col. 6, lines 1-21), and applying a second detection routine to the code under
investigation to obtain a second result, weighting such second result to obtain a second
score indicative of whether the code under investigation has characteristics and/or
behaviors typically associated with malicious code (col. 6, lines 19-29);

Chess further discloses upon completing the executing of the first and second
plurality of detection routines, using the first and/or second scores to categorize the
code under investigation with respect to the likelihood of the code under investigation
compromising the security of the computer system (i.e., the filtering step may include
the steps of determining whether a file contains known malicious code that is correctly
handled by an existing protection definition) (col. 5, lines 55-67 and col. 6, lines 1-35).

Therefore, it would have been obvious to a person of ordinary skill in the art at
the time of applicant's invention to modify teachings of Kouznetsov with teachings of
Chess because it would allow scoring/determining the monitored events/code under
investigation as valid/non-malicious and invalid/malicious code as disclosed by Chess.
One of ordinary skill in the art would have been motivated by the suggestion of Chess to 
filter out undesirable mails (i.e., files) from client inboxes (Chess, col. 9, lines 23-30). 

2. Regarding claims 153-156 and 162-166, Kouznetsov discloses determining
from the score (i.e., repetitions of suspicious behavioral patterns) that the code under
investigation is malicious code (col. 5, lines 43-58, col. 6, lines 63-67 and col. 7,
lines 1-10).

Chess further discloses wherein the determination that the code under 
investigation is malicious code is based on the first score not exceeding a valid code 
threshold value (i.e., matches between code under investigation and the records of 
database 210 of known non-malicious files) and the second score exceeding a 
malicious code threshold value (i.e., matches between code under investigation and the 
records of database 220 of known malicious code descriptions) (col. 6, lines 5-35). 
Chess further discloses clustering files within each classification by using a code- 
similarity metric to determine the similarity of the possibly-malicious code in each file to 
the corresponding code in the other files and grouping together those files which are 
closest according to the metric (col. 7, lines 33-46). 



3. Regarding claims 180-185, Kouznetsov discloses wherein:

each of the detection routines within the first and second plurality of detection
routines gathers a different type of information about the code under investigation, and
wherein the first and second pluralities of detection routines are not themselves running
on the operating system of the computer system in a manner that prevents the code
under investigation from infecting the computer system (col. 4, line 38 to col. 6, line 30).

there is at least one detection routine within the collective first and second
pluralities of detection routines that, when executed, obtains information about the code
under investigation by accessing the operating system of the computer system via an
API of the operating system (col. 4, line 38 to col. 6, line 30).

the first and second pluralities of detection routines collectively include a first
detection routine that determines a behavior of the code under investigation and a
second detection routine that determines a characteristic of the code under investigation
(Kouznetsov: col. 5, line 18 to col. 6, line 30, and Chess: col. 5, line 55 to col. 6, line 35).

further comprising: for each of a plurality of additional programs running on an 
operating system of the computer system: 

execute each of the first and second pluralities of detection routines on the 
operating system of the computer system relative to that additional program; use results 
of the execution of the first and second pluralities of detection routines to categorize that 
additional program as to the likelihood of that additional program compromising the 
security of the computer system (col. 5, line 18 to col. 6, line 30). 
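As an added illustration (not code from this Office action or from either cited patent), the scoring and threshold logic characterised in items 1 through 3 above, written in Python: a first and a second plurality of detection routines, each result weighted into a score, a valid-code threshold and a malicious-code threshold, and the same procedure repeated for each additional running program. The routines, weights, thresholds and sample programs are constructed for this example only.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Program:
    """Constructed stand-in for a running program: the information the
    detection routines gather (characteristics and observed behaviours)."""
    name: str
    signed: bool                        # characteristic
    on_allowlist: bool                  # characteristic: known non-malicious
    syscall_histogram: Dict[str, int]   # behaviour: counts of observed call sequences


# Each routine returns 1.0 when the indicator it looks for is present, else 0.0.
Routine = Callable[[Program], float]

VALID_ROUTINES: List[Tuple[Routine, float]] = [     # first plurality, with weights
    (lambda p: 1.0 if p.signed else 0.0, 0.4),
    (lambda p: 1.0 if p.on_allowlist else 0.0, 0.6),
]
MALICIOUS_ROUTINES: List[Tuple[Routine, float]] = [  # second plurality, with weights
    # repeated open/write/exec sequence: the kind of behavioural repetition flagged above
    (lambda p: 1.0 if p.syscall_histogram.get("open,write,exec", 0) >= 3 else 0.0, 0.7),
    (lambda p: 1.0 if p.syscall_histogram.get("write_to_executable", 0) > 0 else 0.0, 0.3),
]
VALID_THRESHOLD = 0.5        # assumed threshold values
MALICIOUS_THRESHOLD = 0.5


def score(program: Program, routines: List[Tuple[Routine, float]]) -> float:
    """Execute every routine against the program and weight each result into one score."""
    return sum(weight * routine(program) for routine, weight in routines)


def categorize(program: Program) -> str:
    """Malicious only when the valid score does not exceed its threshold AND the
    malicious score does exceed its threshold; conflicting evidence is escalated."""
    first, second = score(program, VALID_ROUTINES), score(program, MALICIOUS_ROUTINES)
    if first <= VALID_THRESHOLD and second > MALICIOUS_THRESHOLD:
        return "malicious"
    if first > VALID_THRESHOLD and second <= MALICIOUS_THRESHOLD:
        return "valid"
    return "undetermined"


def categorize_all(programs: List[Program]) -> Dict[str, str]:
    """Repeat the categorization for each additional running program."""
    return {p.name: categorize(p) for p in programs}


SAMPLE = [  # constructed sample programs
    Program("editor", True, True, {"open,write,exec": 0}),
    Program("dropper", False, False, {"open,write,exec": 5, "write_to_executable": 2}),
    Program("updater", True, True, {"open,write,exec": 4}),  # signed and allowlisted, yet repetitive
]
```

Running `categorize_all(SAMPLE)` categorizes the editor as valid, the dropper as malicious, and the updater as undetermined because both scores exceed their thresholds.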
Conclusion

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to SYED ZIA whose telephone number is (571)272-3798. The
examiner can normally be reached from 9:00 to 5:00.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 571-272-3795. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

sz 

November 8, 2009
/Syed Zia/ 

Primary Examiner, Art Unit 2431



